Since 2016 and until June 2020, the European Union and the United States had an agreement by which the data of European users could be transferred to the United States by American companies, in order to manage and operate them.
A program called Privacy Shield was created to enable data mining companies like Facebook to save the US’s face as the country did not provide adequate privacy guarantees. Then, in mid-July, the Court of Justice of the European Union decided to suspend Privacy Shield.
With the approval of the General Data Protection Regulation – an effort the European Commission made to “better regulate the privacy of European users” – Privacy Shield is a thing of the past and Ireland’s preliminary order to force Facebook to keep user data withing Irish borders is proof of that.
Privacy Shield hosted more than 5,000 US companies with permission to transfer data from their European users to the United States. After Ireland’s decision and the precedent with Facebook, all could be affected in the future.
Facebook has received a preliminary order from the Irish Data Protection Commission, which states that the company will no longer be able to send the data of its European users to its servers in the United States.
This is the first action against a technology company after the European justice decided to annul Privacy Shield, in July.
The order has been sent from Ireland, not by chance, but because there is where Facebook houses its European headquarters.
Ireland has sent it the order to Facebook, but the measure will affect all member countries of the European Union (EU) equally.
“The order must be fulfilled without waiting for the endorsement of the rest of the Data Protection Authorities of the other members of the EU. In fact, if any other data protection authority of any of the remaining members had the power to issue such a preliminary order, it could also do so ”, explains Natalia Martos, CEO and founder of Legal Army.
This court order forces Facebook – and could serve as a precedent against other big tech companies – to devise a new strategy to isolate most of the data it collects from European citizens or to temporarily suspend it.
It is not a matter to be taken lightly, since the General Data Protection Regulation (GDPR) provides for fines of up to 4% of annual turnover, which in the case of Facebook could amount to up to 2,8 billion dollars.
Time is running out and not necessarily in favor of the social network. The Irish Data Protection Commission has given the company “until mid-September” to respond to the order.
As The Wall Street Journal has advanced, Ireland intends to send a draft of the complete order to all the countries of the European Union on September 26.
Why has Ireland sent the request to Facebook and not to another companies? Why Mark Zuckerberg first? For Martos, the answer lies in the amount of data the company handles.
“They have started with Facebook because it is the social network with the largest number of users and, therefore, with the highest data traffic between the EU and the United States, if we add the three platforms that belong to the company; Instagram, WhatsApp and Facebook ”, she explains.
According to the latest study developed by We Are Social and Hootsuite, as of January this year, the company had a total of 5 billion users; 2.44 billion on Facebook, 1.6 billion on WhatsApp and 1 billion on Instagram.
With a court order in the mailbox, Facebook has not been slow to respond, alluding that what is being asked is not an easy task and it will take time.
Through a statement, the company has said that if this decision comes into force it would have serious consequences for users.
“The lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU, just as we seek recovery from COVID-19,” the statement reads.
Likewise, Facebook has called on the European Union to adopt “a proportionate and pragmatic approach to minimize disruption to the many thousands of companies that, like Facebook, have relied on these mechanisms in good faith to transfer data securely.”
If the prohibition of sending data to the United States is complied with, the company would not have it easy. Facebook would have to manage the data of European users on servers that are not in the United States and migrate everything to servers in another territory. Perhaps even within the European Union.
“It could be a very severe blow to the digital economy for companies in the United States”, Facebook claims, since European companies are likely to seek suppliers located in the region to continue maintaining their digital activity. Facebook could also resort to legal channels.
“It would have to initiate a procedure where it requests precautionary measures before the Court so that the suspension of the transfer of data does not take place until a judicial process is concluded to determine whether or not the order from Ireland is legitimate”, advises Martos.
Although the preliminary order is only directed at Facebook, the rest of the clan of tech giants – Amazon, Google, Apple and Microsoft – have turned on all the alerts, since if Ireland or any other EU data protection authority decides something in similar terms for them, they may also be affected.